Emergency Patch APSB16-01 For Flash Player 0day CVE-2015-8651

Adobe has release, the December 28th 2015, an emergency patch for Adobe Flash Player dealing with 19 vulnerabilities. This security bulletin has a Critical severity rating.

APSB16-01 is concerning:

  • Adobe Flash Player Desktop Runtime 20.0.0.235 and earlier for Windows and Macintosh
  • Adobe Flash Player Extended Support Release 18.0.0.268 and earlier for Windows and Macintosh
  • Adobe Flash Player for Google Chrome 20.0.0.228 and earlier for Windows, Macintosh, Linux and ChromeOS
  • Adobe Flash Player for Microsoft Edge and Internet Explorer 11 20.0.0.228 and earlier for Windows 10
  • Adobe Flash Player for Internet Explorer 10 and 11 20.0.0.228 and earlier for Windows 8.0 and 8.1
  • Adobe Flash Player for Linux 11.2.202.554 and earlier for Linux
  • AIR Desktop Runtime 20.0.0.204 and earlier for Windows and Macintosh
  • AIR SDK 20.0.0.204 and earlier for Windows, Macintosh, Android and iOS
  • AIR SDK & Compiler 20.0.0.204 and earlier for Windows, Macintosh, Android and iOS
  • AIR for Android 20.0.0.204 and earlier for Android

In particular, a vulnerability with CVE-2015-8651 identifier, that has been discovered by Kai Wang and Hunter Gao of Huawei’s, is reporting exploited in the wild in limited targeted attacks. No details have been provided on this vulnerability, but surely it is time to patch otherwise why did Adobe release an emergency patch during Christmas period, a coordinated disclosure for limited targeted attacks would have been sufficient and could have wait beginning of January.